The directory “%windir%\temp” in the system image is present but empty.

The presence of these registry entries is evidence that (one of) the system(s) used to build and capture the POSReady 2009 evaluation system image were infested with malware, and that either the infestation was not detected at all (bad) or the infestation was detected, but incompletely (or accidentially, when “%windir%\temp” was cleared) “removed” and a compromised system used to build the system image (worse).

To complete the picture: the ACLs on the directory “%windir%\temp” in systems installed from this image/CD allow unprivileged users to create a subdirectory “sso” in “%windir%\temp” and then the “ssoexec.dll”, allowing them to have their code run under every (other) user account used to log on afterwards, resulting in a privilege escalation.

This has been brought to the vendors (Microsoft) attention in the following manner. – Stefan Kanthak